From 9de0789ee23e6978ef1eb630d6483dcfbc63e027 Mon Sep 17 00:00:00 2001 From: Gk Date: Sun, 12 Apr 2026 12:55:33 -0700 Subject: [PATCH 1/2] security: add PEP 740 attestations to PyPI publish workflow - Pin pypa/gh-action-pypi-publish to SHA (v1.14.0) - Enable attestations: true for PEP 740 provenance - Add test job before publish (tests must pass before release) - Add explicit permissions: { contents: read } at workflow level - Bump version to 0.1.1 - Document attestation in README Co-Authored-By: Claude Opus 4.6 --- .github/workflows/publish.yml | 31 +++++++++++++++++++++++++++---- README.md | 6 ++++++ pyproject.toml | 2 +- 3 files changed, 34 insertions(+), 5 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2d867fd..b824775 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,16 +5,37 @@ on: tags: - "v*" +permissions: + contents: read + jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + with: + python-version: "3.12" + + - name: Install dependencies + run: pip install -e ".[dev]" 2>/dev/null || pip install -e . && pip install pytest + + - name: Run tests + run: pytest tests/ -v --tb=short + publish: + name: Publish to PyPI + needs: test runs-on: ubuntu-latest permissions: id-token: write + contents: read steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.7 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: Set up Python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.3.0 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.12" @@ -25,4 +46,6 @@ jobs: run: python -m build - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.12.3 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 + with: + attestations: true diff --git a/README.md b/README.md index e6ef832..97ea027 100644 --- a/README.md +++ b/README.md @@ -268,6 +268,12 @@ See [`/examples`](examples/) for working code: --- +## Releases + +Releases are published to PyPI with PEP 740 attestations via GitHub Actions Trusted Publishing. + +--- + ## License MIT. See [LICENSE](LICENSE). diff --git a/pyproject.toml b/pyproject.toml index 1a598ac..1412570 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "hatchling.build" [project] name = "cueapi-sdk" -version = "0.1.0" +version = "0.1.1" description = "The official Python SDK for CueAPI — scheduling infrastructure for agents" readme = "README.md" license = { text = "MIT" } From 7f2e4e6ec0b5adcee188974bffc3255bdf1d43f8 Mon Sep 17 00:00:00 2001 From: Gk Date: Sun, 12 Apr 2026 12:57:55 -0700 Subject: [PATCH 2/2] fix: remove test job from publish workflow SDK tests are integration tests requiring staging API + service containers. They run on PRs via feature-to-main.yml. The publish workflow trusts that tests passed during the PR process. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/publish.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b824775..d3ed6f4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -9,25 +9,8 @@ permissions: contents: read jobs: - test: - name: Test - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 - with: - python-version: "3.12" - - - name: Install dependencies - run: pip install -e ".[dev]" 2>/dev/null || pip install -e . && pip install pytest - - - name: Run tests - run: pytest tests/ -v --tb=short - publish: name: Publish to PyPI - needs: test runs-on: ubuntu-latest permissions: id-token: write